Manage role groups in standalone EOP

In standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you can use the Exchange admin center (EAC) to add users to role groups. Adding a users to a role group gives the user permissions to do specific admin tasks. You can also remove users from role groups.

For more information about roles and role groups, see Permissions in standalone EOP.

What do you need to know before you begin?

Tip

Having problems? Ask for help in the Exchange Online Protection forum.

Use the EAC to manage role groups

Use the EAC to view role groups

  1. In the EAC, go to Permissions > Admin roles. All of the role groups in your organization are listed here.

  2. Select a role group. The Details pane shows the Name, Description, Assigned roles, and Managed by of the role group. You can also see this information by clicking Edit Edit icon..

Use the EAC to create role groups

When you create a new role group, you can configure all of the settings yourself (during the creation of the group or after). Or, you can copy an existing role group and modify it.

  1. In the EAC, go to Permissions > Admin roles, and then do one of the following steps:

    • Manually create a new role group: Click Add Add icon..

    • Copy an existing role group: Select the role group that you want to copy and then click Copy Copy icon..

  2. In the New role group window that appears, configure the following settings:

    • Name: Enter a unique name for the role group.

    • Description: Enter an optional description for the role group.

    • Roles: Click Add Add icon. or Remove Remove icon. to select or modify the roles that are assigned to the role group.

    • Members: Click Add Add icon. or Remove Remove icon to modify the role group membership.

  3. When you're finished, click Save to create the role group.

Use the EAC to modify role groups

In the EAC, go to Permissions > Admin roles, select the role group you want to modify, and then click Edit Edit icon..

The same options are available when you modify role groups as when you create role groups. You can:

  • Change the name and description.

  • Add and remove management roles (create or remove role assignments).

  • Add and remove members.

Note: Some role groups (for example, Organization Management) restrict the roles that you can remove from group.

Use the EAC modify the list of members in role groups

  1. In the EAC, go to Permissions > Admin roles, select the role group that you want to modify, and then click Edit Edit icon..

  2. In the role group properties page that opens, in the Members section, do either of the following steps:

    • Click Add Add Icon.. In the page that appears, find the user that wou want to add, and then click add ->. Select users and click add -> many times as necessary. When you're finished, click OK.

    • Select the users that you want to remove, and then click Remove Remove icon.

  3. When you're finished, click Save.

    Note

    Users may have to sign out and sign in again to see the change in their administrative rights after you add or remove members from the role group.

Use the EAC to remove role groups

You can't remove built-in role groups, but you can remove custom role groups that you've created.

  1. In the EAC, go to Permissions > Admin roles.

  2. Select the role group you want to remove and then click Delete Delete icon..

  3. Click Yes in the confirmation window that appears.

Use PowerShell to manage role groups

Use standalone EOP PowerShell to view role groups

To view a role group, use the following syntax:

Get-RoleGroup [-Identity "<Role Group Name>"] [-Filter <Filter>]

This example returns a summary list of all role groups.

Get-RoleGroup

This example returns detailed information for the role group named Recipient Administrators.

Get-RoleGroup -Identity "Recipient Administrators" | Format-List

This example returns all role groups where the user Julia is a member. You need to use the DistinguishedName (DN) value for Julia, which you can find by running the command: Get-User -Identity Julia | Format-List DistinguishedName.

Get-RoleGroup -Filter "Members -eq 'CN=Julia,OU=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR001,DC=PROD,DC=OUTLOOK,DC=COM'"

For detailed syntax and parameter information, see Get-RoleGroup.

Use standalone EOP PowerShell to create role groups

When you create a new role group, you can configure all of the settings manually (during the creation of the group or after). Or, you can copy an existing role group and modify it.

  • To manually create a new role group, use the following syntax:

    New-RoleGroup -Name "Unique Name" -Description "Descriptive text" -Roles <"Role1","Role2"...>
    
    • The Roles parameter specifies the management roles to assign to the role group by using the following syntax "Role1","Role1",..."RoleN". You can see the available roles by using the Get-ManagementRole cmdlet.

    • The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, mail-enabled universal security groups (USGs), or other role groups (security principals).

    This example creates a new role group named "Limited Recipient Management" with the following settings:

    • The Mail Recipients role is assigned to the role group.

    • The users Kim and Martin are added as members.

    New-RoleGroup -Name "Limited Recipient Management" -Roles "Mail Recipients" -Members "Kim","Martin"
    
  • To copy an existing role group, do the following steps:

    1. Store the role group that you want to copy in a variable using the following syntax:

      $RoleGroup = Get-RoleGroup "<Existing Role Group Name>"
      
    2. Create the new role group using the following syntax:

      New-RoleGroup -Name "<Unique Name>" -Roles $RoleGroup.Roles [-Members <Members>]
      

      The Members parameter specifies the members of the role group by using the following syntax: "Member1","Member2",..."MemberN". You can specify users, mail-enabled universal security groups (USGs), or other role groups (security principals).

      This example copies the Organization Management role group to the new role group named "Limited Organization Management". The role group members are Isabelle, Carter, and Lukas.

      $RoleGroup = Get-RoleGroup "Organization Management"
      New-RoleGroup "Limited Organization Management" -Roles $RoleGroup.Roles -Members "Isabelle","Carter","Lukas"
      

For detailed syntax and parameter information, New-RoleGroup.

Use standalone EOP PowerShell modify the list of members in role groups

  • The Add-RoleGroupMember and Remove-RoleGroupMember cmdlets add or remove individual members one at a time. The Update-RoleGroupMember cmdlet can replace or modify the existing list of members.

  • The members of a role group can be users, mail-enabled universal security groups (USGs), or other role groups (security principals).

To modify the members of a role group, use the following syntax:

Update-RoleGroupMember -Identity "<Role Group Name>" -Members <Members>
  • To replace the existing list of members with the values you specify, use the following syntax: "Member1","Member2",..."MemberN".

  • To selectively modify the existing list of members, use the following syntax: @{Add="Member1","Member2"...; Remove="Member3","Member4"...}.

This example replaces all current members of the Help Desk role group with the specified users.

Update-RoleGroupMember -Identity "Help Desk" -Members "Gabriela Laureano","Hyun-Ae Rim","Jacob Berger"

This example adds Daigoro Akai and removes Valeria Barrio from the list of members on the Help Desk role group.

Update-RoleGroupMember -Identity "Help Desk" -Members @{Add="Daigoro Akai"; Remove="Valeria Barrios"}

For detailed syntax and parameter information, see Update-RoleGroupMember.

Use standalone EOP PowerShell to remove role groups

You can't remove built-in role groups, but you can remove custom role groups that you've created.

To remove a custom role group, use the following syntax:

Remove-RoleGroup -Identity "<Role Group Name>" [-BypassSecurityGroupManagerCheck]

This example removes the Training Administrators role group.

Remove-RoleGroup -Identity "Training Administrators"

For detailed syntax and parameter information, see Remove-RoleGroup.

How do you know these procedures worked?

To verify that you've successfully copied a role group, do either of the following steps:

  • In the EAC, go to Permissions > Admin roles, and verify the role group is listed (or not listed). Select the role group, and verify the settings in the Details pane or click Edit Edit icon. to verify the settings.

  • In Exchange Online PowerShell, replace <Role Group Name> with the name of the role group, and run the following command to verify the role group exists (or doesn't exist) and verify the settings:

    Get-RoleGroup -Identity "<Role Group Name>" | Format-List